Analyzing the behavior of malicious software is challenging because of the enormous number of code samples that arrive in email environments and the limited analyst time and resources available to examine them. Detection work usually starts with an analyst classifying samples into known and unknown malware.

Fuzzy hashing is a type of compression function for calculating the similarity between digital files, and it attempts to automate the process of grouping similar malware. Fuzzy hash functions tolerate a certain amount of change in their input, so comparing the outputs for two files indicates how different the files are. This property is desirable for clustering malware campaigns, which often use multiple variants from the same family that perform exactly the same set of behaviors but have different cryptographic hashes. The comparison function should provide a usable metric or distance by which we can decide whether the inputs are similar.

Configuring a Content Examination definition allows you to use this fuzzy hash function. You can:

- Upload a control document. This must be created before adding it to the definition.
- Use fuzzy hashing to compare its content with the content of attachments.

Specify a description for the file. The description is visible to administrators when viewing the definition or selecting entries from the list of previously generated hash values.

Fuzzy Hash Type

Specify the type of fuzzy hash you would like to generate. The options are:

- Mimecast Fuzzy Hash (MFH): This ignores any images in an attachment, basing its similarity score on the attachment's text. With this option:
  - The control file must be a minimum file size of 4 KB.
  - All images should be removed from the control document to reduce the time taken to generate the fuzzy hash.
- SSDEEP: This uses the entire attachment (including text and images) to determine how similar one file is to another.
- Both: Both MFH and SSDEEP are used.

New File Upload

1. Click the Browse button to select the control document file. Only one file can be selected.
2. Click on the Generate button.

Adding a Fuzzy Hash to a Content Examination Definition

Once you've created a fuzzy hash definition, you can add it to a Content Examination definition. This enables you to define the criteria that must be met before your configured actions take effect.

1. Log on to the Administration Console.
2. Click on the Administration menu item. A drop-down menu is displayed.
3. Click on the Gateway | Policies menu item.
4. Hover over the Definitions button. A list of the definition types is displayed.
5. Click on the Content Examinations definition type from the list. The list of definitions is displayed.
6. Select a Folder in the hierarchy. Definitions cannot be placed in the "Root" folder.
7. Either click on the:
   - Definition to be changed.
   - New Content Definition button to create a definition.
8. To enter the fuzzy hash in the Word / Phrase Match List field, click on the Insert | Fuzzy Hash menu item.
9. Complete the Policy Definition dialog as follows:

   Field / Option | Description
   --- | ---
   Fuzzy Hash Definition | Click on the Lookup button to display a list of all fuzzy hash files. Click on the Select link to the left of the fuzzy hash you wish to use.
   Line Score | Specify a value to assign to the fuzzy hash. This is measured against the definition's activation score.
   Append | This controls where a fuzzy hash is placed in the "Word / Phrase Match List". If selected, the fuzzy hash is added to the bottom of the list. If disabled, the fuzzy hash is added to the top of the list.

10. Click the Save and Exit button. The fuzzy hash and line score are displayed in the "Word / Phrase Match List".
11. Click on the Fuzzy Hash Setting field to specify a similarity percentage value. This is applied to all the fuzzy hashes defined in the "Word / Phrase Match List".
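As an added illustration (not Mimecast's or ssdeep's code), the following Python sketches the context-triggered piecewise hashing idea behind SSDEEP described at the top of this page, and the similarity-percentage check that the Fuzzy Hash Setting applies to the Word / Phrase Match List. The fixed block size, the toy rolling hash over a 7-byte window, the normalised edit-distance scoring and the constructed sample documents are all assumptions made for the demonstration, not the real algorithms.

```python
import random
from hashlib import blake2b
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW = 7  # bytes of context feeding the rolling trigger (toy value, an assumption)

def ctph(data: bytes, block_size: int = 64) -> str:
    """Context-triggered piecewise hash: one signature character per chunk, where a
    chunk ends whenever the rolling hash of the last WINDOW bytes hits a trigger value."""
    signature, chunk, window = [], bytearray(), bytearray()
    for b in data:
        window.append(b)
        del window[:-WINDOW]  # keep only the last WINDOW bytes
        chunk.append(b)
        # The trigger depends only on nearby bytes, so boundaries re-synchronise a few
        # bytes after an insertion or deletion instead of shifting the whole hash.
        if sum(window) % block_size == block_size - 1:
            signature.append(ALPHABET[blake2b(bytes(chunk), digest_size=1).digest()[0] % 64])
            chunk = bytearray()
    if chunk:
        signature.append(ALPHABET[blake2b(bytes(chunk), digest_size=1).digest()[0] % 64])
    return f"{block_size}:{''.join(signature)}"

def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def similarity(h1: str, h2: str) -> int:
    (bs1, sig1), (bs2, sig2) = h1.split(":", 1), h2.split(":", 1)
    if bs1 != bs2:
        return 0  # like ssdeep, only hashes with the same block size are comparable
    longest = max(len(sig1), len(sig2), 1)
    return round(100 * (1 - levenshtein(sig1, sig2) / longest))  # toy scaling, not ssdeep's

def sample_text(seed: int, words: int = 700) -> bytes:
    """Constructed sample document (not a real file): pseudo-random words from a small vocabulary."""
    vocab = ["invoice", "payment", "overdue", "account", "please", "review", "attached",
             "urgent", "wire", "transfer", "confirm", "details", "vendor", "contract", "the"]
    rng = random.Random(seed)
    return " ".join(rng.choice(vocab) for _ in range(words)).encode()

CONTROL = sample_text(1)                                    # the uploaded control document
VARIANT = CONTROL[:2000] + b" PAY TODAY " + CONTROL[2012:]  # same text with a small edit
UNRELATED = sample_text(2)                                   # a different document

def matches_control(attachment: bytes, threshold: int = 75) -> bool:
    """Mimic the Fuzzy Hash Setting: flag the attachment if it scores at least threshold %."""
    return similarity(ctph(CONTROL), ctph(attachment)) >= threshold
```

A small edit only disturbs the chunks around it, so the variant still scores well above the threshold while an unrelated document does not; a cryptographic hash of the same files would simply differ in all three cases.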

I have tried to generate a Mimecast Fuzzy Hash of files up to 85 KB, and I received the message that the file was too small, even though they are all much larger than the 4 KB minimum specified here. I can only generate SSDEEP hashes for these files. Is this an error in the documentation or a bug in the Admin console?